Techniques in Attacking and Defending XML/Web Services



Jason Macy & Mamoon Yunus
Crosscheck Networks – Forum Systems
jmacy@crosschecknet.com, myunus@forumsys.com
617-938-3956

AppSec DC, November 13, 2009

The OWASP Foundation
http://www.owasp.org
Agenda
 1. Introduction to XML/Web Services Threats

 2. Techniques for Defending XML Threats

 3. XML Attack Examples and Classification
    • SQL Injection
    • Denial of Service
    • XSD Mutation

 4. Review Attack Examples by:
    • Attack Definition: Scenario Setup
    • Attack Vectors: Building Penetration Tests
    • Post-Attack Analysis: XML Vulnerability Detection
    • Countermeasures: XML Gateway



Introduction to XML Threats

[Diagram: attack vectors aimed at SOAP, XML and REST services]
    SQL Injection
    XSD Mutation
    Virus
    Malware
    Denial of Service
    Identity Discovery

Explicit Attacks
    Forced Disruption             Bring Down or Limit Enterprise Service Availability
    Information Theft             Gain Access to Enterprise Resources
    Vendor Discovery              Expose Known Traditional Attacks

[Diagram: attacks arriving from 1..N source IPs]

Implicit Vulnerability
    Perimeter Breach              Embedded Virus, Malware
    Infrastructure Malfunction    Parser and Data Processing Failures
New Attack Vectors

[Diagram: Client -> SOAP/XML -> Web Service]

    Protocol Firewalls are Blind to XML
    Malware and Virus delivered via SOAP Attachments
    WSDL Exposes Schema and Message Structure
    Injection Attacks Exposed via XML Parameters
    Data Replay Attacks



 Security Testing - Base Requirements
Security Framework
    Sign, Encrypt, Decrypt, SSL

Identity Framework
    Basic Auth, SSL Auth, WS-Security Token Auth

Parameter Injection
    Database or File Driven
    Permutations for Security, Identity, and SOAP/XML

Concurrent Client Simultaneous Loading
    Denial of Service Testing

SOAP with Attachments
    Malware and Virus testing

Dynamic XSD Mutation
    Derive SOAP Vulnerability profile from WSDL Schema


           XML Security Gateway - Base Requirements


Certified PKI Infrastructure (DOD PKI)
    •   X.509 Path Validation
    •   Sign/Verify, SSL Initiation, SSL Termination

Certified Security Architecture (FIPS)
    •   Key Management and Storage
    •   Physical Device Security

Transaction Privacy
    •   Encryption, Decryption, SSL

Transaction Integrity
    •   Digital Signature, Signature Verification, Schema Validation

Transaction Accountability
    •   Archiving, Logging, Reporting, and Monitoring

Transaction Threat Mitigation
    •   Intrusion Detection and Prevention
    •   Rate-based rules, Size-based rules, AntiVirus detection, Pattern recognition
    •   Structural integrity, Protocol adherence, Authorization Attempts
     XML Attack Examples and Classification

1. SQL Injection Attack
   • Classification: Injection, Data Excavation

2. Denial of Service Attack
   • Classification: Resource Depletion

3. XSD Mutation Attack
   • Classification: Data Structure Attacks, Resource Manipulation



          CAPEC: Common Attack Pattern Enumeration and Classification
                    National Cyber Crime Division of DHS
                                http://capec.mitre.org
                                 http://nvd.nist.gov/




XML Web Services based SQL Injection Attack




SQL Injection - Unsecured

[Diagram: Client -> PHP / NuSOAP on Apache -> MySQL]

How to Attack
   Construct SQL Escape Sequences
   Construct SQL 1=1 Query
   Inject into XML Node values

Discovered Exposure
    Sensitive Data Loss
    Database Corruption
SQL Injection
1. What is it?
    • SQL injection is a technique that exploits a vulnerability that occurs in the
      database layer of an application.

    • The application incorrectly filters string literal escape characters
      embedded in SQL statements.

2. Example:
    • Good: 'select * from accounts where username="' . $username . '" AND
       password="' . $password . '"';

    • Evil: select * from accounts where username="" or 1=1 #" AND
        password="";

3. Attack Vector:
    • Old: User input from a browser-based application

    • New: XML Web Services – WSDL defined Interface

Component Details – MySQL Database

    o Test MySQL Database
    o phpMyAdmin UI
    o Accounts Table Data



Component Details – PHP Application

1. Function: getAccounts()
2. Connect to Database
3. Construct SQL Query: Great Vulnerability Point
4. Execute Query
5. Parse Query Results
6. Register function as a Web Service
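The getAccounts() flow above, with the Good/Evil query from the SQL Injection slide, as an added Python/SQLite example (not the presentation's PHP/NuSOAP service): build_vulnerable_sql() mirrors step 3, the string concatenation, and get_accounts_safe() is the hardened form with bound parameters. The account rows and the in-memory SQLite database are constructed stand-ins; # is MySQL's comment marker, so the injected query text is built and inspected here rather than executed.

```python
import sqlite3

# Constructed rows standing in for the slide's MySQL "accounts" table.
ACCOUNTS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]

# The slide's injected username: closes the string literal, appends an
# always-true condition and comments out the password check (# is MySQL's
# comment introducer, so the string is built here but not run on SQLite).
EVIL_USERNAME = '" or 1=1 #'


def build_vulnerable_sql(username, password):
    """Step 3 as the PHP service does it: caller-controlled values are pasted
    straight into the SQL text, so they can rewrite the WHERE clause."""
    return ('select * from accounts where username="' + username
            + '" AND password="' + password + '"')


def open_test_db():
    """Step 2 with an in-memory SQLite database (assumed stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table accounts (username text, password text, email text)")
    conn.executemany("insert into accounts values (?, ?, ?)", ACCOUNTS)
    return conn


def get_accounts_safe(conn, username, password):
    """Hardened getAccounts(): the SQL text is fixed and the values travel as
    bound parameters, so a quote or comment marker in the username is compared
    as data and never changes the query structure (steps 4 and 5 unchanged)."""
    cur = conn.execute(
        "select username, email from accounts where username = ? and password = ?",
        (username, password),
    )
    return cur.fetchall()


if __name__ == "__main__":
    print("vulnerable query text:", build_vulnerable_sql(EVIL_USERNAME, ""))
    db = open_test_db()
    print("safe lookup, injected username:", get_accounts_safe(db, EVIL_USERNAME, ""))
    print("safe lookup, real credentials:", get_accounts_safe(db, "alice", "s3cret"))
```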




SQL Injection over SOAP Message – Unsecured

[Screenshots of the penetration-testing client]
    • Pointed to Service Endpoint
    • Advertises use of PHP
    • SQL Injection over XML/SOAP
    • Full Table Returned in SOAP Response: 34 Records
SQL Injection - XML Gateway Secured

[Diagram: Client -> XML Gateway -> PHP / NuSOAP on Apache -> MySQL]
    o Inbound Pattern Detection
    o Prevent Outbound Leaks

How to Defend
   Deploy XML Gateway
   Enable Pattern Scanning IDP Rules
   Configure Response Message Size and Complexity Limits

Advantages
    Prevent Data Loss
    Alert and Quarantine Attempted Breaches
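Inbound pattern scanning and the response size/complexity limit from the How to Defend list, as an added Python example written for this page (not Sentry's rule set or code): scan_request() tests every value under soap:Body against a small assumed set of SQL injection signatures, and check_response() withholds a response that exceeds a byte or record-count ceiling. The SOAP request and the 34-record response are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Assumed rule set in the spirit of the gateway's pre-built SQL injection
# signatures (illustrative, not Sentry's): a quote followed by a boolean
# tautology, SQL comment introducers, UNION queries and stacked statements.
SQL_RULES = [
    ("tautology", re.compile(r"""["']\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)),
    ("comment", re.compile(r"(#|--|/\*)")),
    ("union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("stacked", re.compile(r";\s*(drop|delete|insert|update)\b", re.I)),
]


def scan_request(soap_xml):
    """Test the text of every element under soap:Body against SQL_RULES.
    Returns one (element name, rule name, value) tuple per hit; an empty
    list means the message may be forwarded."""
    root = ET.fromstring(soap_xml)
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None:
        return [("Envelope", "structure", "no soap:Body")]
    hits = []
    for el in body.iter():
        text = (el.text or "").strip()
        if not text:
            continue
        for rule, rx in SQL_RULES:
            if rx.search(text):
                hits.append((el.tag.split("}")[-1], rule, text))
    return hits


def check_response(soap_xml, max_bytes, max_records, record_tag):
    """Response size/complexity limit: a response larger than max_bytes or
    carrying more than max_records <record_tag> elements is withheld, which
    keeps a successful injection from dumping the whole table."""
    if len(soap_xml.encode("utf-8")) > max_bytes:
        return "blocked: size"
    records = sum(1 for el in ET.fromstring(soap_xml).iter()
                  if el.tag.split("}")[-1] == record_tag)
    if records > max_records:
        return "blocked: %d records" % records
    return "allowed"


# Constructed sample traffic: the injected login and a 34-record table dump.
ENVELOPE = ('<soap:Envelope xmlns:soap="%s"><soap:Body>%%s</soap:Body></soap:Envelope>'
            % SOAP_NS)
INJECTED_REQUEST = ENVELOPE % (
    '<getAccounts><username>" or 1=1 #</username><password></password></getAccounts>')
CLEAN_REQUEST = ENVELOPE % (
    '<getAccounts><username>alice</username><password>s3cret</password></getAccounts>')
DUMP_RESPONSE = ENVELOPE % ('<getAccountsResponse>'
                            + '<account><username>u</username></account>' * 34
                            + '</getAccountsResponse>')
```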
SQL Injection over XML/SOAP – Sentry Protection Policy

[Screenshot of the gateway policy]
    o Pre-built Pattern Matching for SQL Injection Detection
    o Extensible for Business Specific Requirements
SQL Injection over SOAP Message – Secured

[Screenshots of the penetration-testing client]
    • Pointed through XML Gateway
    • Endpoint Technology Obfuscated
    • SQL Injection over XML/SOAP
    • SOAP Request Stopped by XML Gateway
XML Web Services based Denial of Service Attack




Denial of Service - Unsecured

[Diagram: Client -> Web Service]

How to Attack
   Loading Client with Concurrent Simultaneous Threads
   Coercive Parsing Attack

Discovered Exposure
    Unlimited message flow
    Unfair Service SLA distribution
    Back-end CPU and I/O Saturation
Denial of Service – Unsecured

[Screenshots]
    • Multiply Service running on IIS
    • Capable of ~700 TPS
    • No restrictions on Client
Denial of Service - XML Gateway Secured

[Diagram: Client -> XML Gateway -> Web Service]
    o Enforce Transaction Rate

How to Defend
   Deploy XML Gateway
   Set Allowed Transaction Rates (Group, User, or IP)

Advantages
    Message Flow Limited to Specified Rate
    Service Throughput Fairly Distributed
    Back-end Protected from CPU and I/O Saturation
Denial of Service – Sentry Protection Rule

[Screenshot of the rate rule]
    • 20 TPS Restriction Policy
    • Granular Enforceability
    • Configure Action
    • Custom Message
Denial of Service – Sentry Protection Action

[Screenshot of the rule action]
    • Action: Abort Processing
    • Additional Options: Throttle, Block
    • Stealth Mode to suppress data leaks via responses
    • Prevent log flooding
    • Quarantine Messages for further analysis
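The 20 TPS rule with its abort/throttle/block actions, log-flood suppression and quarantine, as an added Python example written for this page (not Sentry's implementation): TransactionRateRule keeps a one-second sliding window per group, user or IP key and applies the configured action to every request over the limit. The caller passes the clock in, so the constructed burst is deterministic; the default limits are assumptions.

```python
from collections import deque


class TransactionRateRule:
    """Sliding one-second window per key (group, user or source IP) with the
    slide's actions: 'abort' rejects the request, 'throttle' tells the caller
    to delay it, 'block' also bars the key for block_seconds. Every violation
    is quarantined for analysis, but only every log_every-th one is logged so
    a flood of requests cannot also flood the log."""

    def __init__(self, max_tps=20, action="abort", block_seconds=60, log_every=100):
        self.max_tps = max_tps
        self.action = action
        self.block_seconds = block_seconds
        self.log_every = log_every
        self._windows = {}        # key -> deque of admitted request timestamps
        self._blocked_until = {}  # key -> time until which 'block' applies
        self._violations = {}     # key -> number of over-rate requests seen
        self.log = []             # (key, timestamp) entries actually written
        self.quarantine = []      # (key, timestamp, message) kept for analysis

    def admit(self, key, now, message=None):
        """Return 'forward' or the action applied. `now` is a float timestamp in
        seconds supplied by the caller, which keeps sample traffic deterministic."""
        if self._blocked_until.get(key, 0.0) > now:
            return "block"
        window = self._windows.setdefault(key, deque())
        while window and now - window[0] >= 1.0:
            window.popleft()          # slide the window forward
        if len(window) < self.max_tps:
            window.append(now)
            return "forward"
        # Over the rate: the request is not counted and the action is applied.
        count = self._violations.get(key, 0) + 1
        self._violations[key] = count
        self.quarantine.append((key, now, message))
        if count % self.log_every == 1:
            self.log.append((key, now))
        if self.action == "block":
            self._blocked_until[key] = now + self.block_seconds
        return self.action


def run_sample_burst(rule, key, count, start=100.0, spacing=0.01):
    """Constructed burst: `count` requests from one key, `spacing` seconds apart."""
    return [rule.admit(key, start + i * spacing) for i in range(count)]
```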




Denial of Service – Secured

[Screenshots]
    • Request: Multiply a x b sent through XML Gateway
    • 20 TPS Restriction triggered
    • Client cannot invoke a DoS
    • ~680 TPS service capacity remains
Another Example: Denial of Service through Coercive Parsing

                      Well-formed request                    Malformed request
    Echo Request      s=test                                 s=test
    Responses         All successful - well-formed XML       All fail - XML not well-formed
    Min               1.20 ms                                2.10 ms
    Max               3.50 ms                                5.0 ms
    Ave               1.60 ms                                2.73 ms

Well-formed request:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:s0="http://microsoft.com/webservices/">
 <soap:Body>
  <s0:Echo>
    <s0:s>test</s0:s>
  </s0:Echo>
 </soap:Body>
</soap:Envelope>

Malformed request (the closing tag is missing its ">"):

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:s0="http://microsoft.com/webservices/">
 <soap:Body>
  <s0:Echo>
    <s0:s>test</s0:s>
  </s0:Echo>
 </soap:Body>
</soap:Envelope

> 70% Degradation by removing one character




XML Web Services based XSD Mutation Attack




XSD Mutation Attack - Unsecured

[Diagram: Client -> Web Service]

How to Attack
   Obtain WSDL
   Derive Message Structure and Types from WSDL Schema
   Send SOAP Message Mutations based on Schema

Discovered Exposure
    Code Paths not Handled for Exceptions
    Stack Traces Returned with Implementation Details
    Application Failure
XSD Mutation Attack – Lifecycle

[Cycle diagram]
    Author Attack Vectors -> Run Attack -> Analyze Results -> Vulnerability Report
    -> Add New Detection Libraries -> back to Author Attack Vectors
XSD Mutation: Building Attack Vectors

[Screenshots]
    • Service Loaded from endpoint
    • Mutant Messages generated based on WSDL – XSD
    • Data type, structure, size mutations
XSD Mutation: Analyze Attack

[Screenshots]
    • Test generated based on WSDL complexity
    • Sample Data Value Mutation
    • username contains string value mutation
    • response reveals backend components and method calls
XSD Mutation: Extend Detection Libraries

[Screenshot of a detection rule]
    • Look for nusoap.php
    • High Severity – Open source Parser

    • Vulnerability Detection Libraries
    • Application/Platform Specific
    • Business Specific – SSN, Credit Card
XSD Mutation Attack - XML Gateway Secured

[Diagram: Client -> XML Gateway -> Web Service]
    o Enforce Inbound Schema Validation
    o Prevent Outbound Data Leaks

How to Defend
   Deploy XML Gateway
   Enforce Inbound Message Structure and Type Validation
   Cleanse Outbound Data (Stack Traces, Sensitive Data)

Advantages
    Reduce Parser Impact on Web Service
    Remove Vendor and Implementation Details in Response
    Protect Application Layer Code Paths on Web Service
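The outbound cleansing step above, using the detection-library ideas from the Extend Detection Libraries slide (nusoap.php, SSN, credit card), as an added Python example written for this page (not Sentry's libraries): scan_response() runs an assumed rule set over a response, with a Luhn check to cut credit-card false positives, and cleanse_response() masks sensitive values or swaps an implementation-revealing fault for a generic one. Both sample responses are constructed.

```python
import re

# Assumed detection library for this example (not Sentry's): platform-specific
# leaks (the nusoap.php indicator from the slide, PHP error locations, stack
# frames) and business-specific data (SSN, credit card number).
LEAK_RULES = [
    ("implementation-detail", "high",
     re.compile(r"\bnusoap\.php\b|\b\w+\.php\b on line \d+", re.I)),
    ("stack-trace", "high",
     re.compile(r"^#\d+ \S+\(\d+\): |\bat [\w.$]+\([\w.]+:\d+\)", re.M)),
    ("ssn", "high", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("credit-card", "high", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
]
GENERIC_FAULT = ("<soap:Fault><faultcode>soap:Server</faultcode>"
                 "<faultstring>Request could not be processed</faultstring></soap:Fault>")


def luhn_ok(digits):
    """Luhn checksum, used to drop 13-16 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_response(body):
    """Run every rule over the outbound text; returns (rule, severity, value)."""
    findings = []
    for rule, severity, rx in LEAK_RULES:
        for m in rx.finditer(body):
            value = m.group(0)
            if rule == "credit-card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            findings.append((rule, severity, value))
    return findings


def cleanse_response(body):
    """Return (text to send, findings). Sensitive values are masked in place; an
    implementation detail or stack trace replaces the whole payload with a
    generic fault, because a partially redacted trace still names the back end."""
    findings = scan_response(body)
    if any(rule in ("implementation-detail", "stack-trace") for rule, _, _ in findings):
        return GENERIC_FAULT, findings
    cleansed = body
    for rule, _, value in findings:
        cleansed = cleansed.replace(value, "[REDACTED %s]" % rule.upper())
    return cleansed, findings


# Constructed samples: a fault that names the parser, and a record with PII.
LEAKY_FAULT = ('<soap:Fault><faultstring>Warning: mysql_query() failed in '
               '/var/www/lib/nusoap.php on line 5142</faultstring></soap:Fault>')
PII_RECORD = ('<account><username>alice</username><ssn>123-45-6789</ssn>'
              '<card>4111 1111 1111 1111</card></account>')
```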
XSD Mutation – Sentry Protection Policy

[Screenshot of the gateway policy]
    • XML Gateway provides Policies to protect against XML specific attacks
XSD Mutation – Secured

1. Deploy Specialized XML Gateways – Packet Firewalls and HTML
   Application Firewalls are insufficient

2. Validate XML against a robust schema

3. Tighten Schema: e.g., string -> string limited to 2048 characters

4. Enforce XML specific detection rules, e.g., node depth, recursive
   payloads
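The structural checks from points 2 to 4 above, applied to the Echo envelope with the missing ">" from the coercive-parsing slide, as an added Python example written for this page (not the gateway's parser): check_inbound_xml() rejects a message that is not well-formed, nests deeper than max_depth, or carries a text node longer than max_text (the 2048-character tightening) before the application parser sees it. The sample envelopes are constructed and the limit values are assumed defaults.

```python
import xml.parsers.expat


class MessageRejected(Exception):
    """Raised for a message the gateway refuses to forward."""


def check_inbound_xml(data, max_depth=32, max_text=2048):
    """Gateway-style pre-parse with expat: the message must be well-formed,
    nest no deeper than max_depth elements and carry no text node longer than
    max_text characters. Returns parse statistics or raises MessageRejected."""
    parser = xml.parsers.expat.ParserCreate()
    stack = []   # [element name, text length so far] for each open element
    stats = {"elements": 0, "max_depth": 0}

    def start(name, attrs):
        stack.append([name, 0])
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], len(stack))
        if len(stack) > max_depth:
            raise MessageRejected("node depth %d exceeds %d" % (len(stack), max_depth))

    def chars(text):
        if stack:                 # expat may deliver one text node in chunks
            stack[-1][1] += len(text)
            if stack[-1][1] > max_text:
                raise MessageRejected("text node in <%s> exceeds %d characters"
                                      % (stack[-1][0], max_text))

    def end(name):
        stack.pop()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as err:
        raise MessageRejected("not well-formed: %s" % err) from None
    return stats


def verdict(data, **limits):
    """'accepted' or 'rejected: <reason>' for one message, as a policy log line."""
    try:
        check_inbound_xml(data, **limits)
        return "accepted"
    except MessageRejected as err:
        return "rejected: %s" % err


# Constructed samples: the Echo request from the coercive-parsing slide, the same
# bytes minus the final ">", a deeply nested body and an oversized string value.
GOOD = (b'<?xml version="1.0" encoding="utf-8"?>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><s0:Echo xmlns:s0="http://microsoft.com/webservices/">'
        b'<s0:s>test</s0:s></s0:Echo></soap:Body></soap:Envelope>')
BAD = GOOD[:-1]
DEEP = b"<a>" * 40 + b"x" + b"</a>" * 40
LONG = b"<s>" + b"A" * 3000 + b"</s>"
```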




Best Practices for Countermeasures

   Information Control – Outbound
       Restrict SOAP Faults
       Protect Sensitive Information
       Audit Transaction Flows

   Information Control – Inbound
       Tighten Payloads
       Enforce SLA
       Disallow SQL, Virus, Malicious Code

   Use Web Services Penetration Testing Product
       Out of the box Vulnerability Discovery
       Simplified Testing and Diagnostics of Service Endpoint
       Validation of Security Gateway Policies

   Deploy XML Web Services Gateway
       Forum Systems Sentry XML Gateway
       Barracuda
       Radware AppXML

   Deploy Centralized XML Security
       Enforce Policy Independent of Application Servers and OS Platforms
       Audit and Filter Sensitive Information
       Separate Security from Application Code
Learn more @

www.crosschecknet.com
and
www.forumsys.com


